
Andreas Falk
Beginner

Manage mac addresses in ODBC, LDAP or internal store?

Hi,

Today we are using LDAP to manage our MAC addresses for MAB auth.
When 2.1 was introduced with customAttributes we started to look at moving all MAC addresses back into the ISE internal store.


But after some testing it seems that we have encountered an issue with having all MAC addresses in the internal store.
[ers api filter on custom attributes?]

So now we are looking at the possibility to switch store to ODBC. It is pretty easy to continue our webui work against an ordinary db.


Do you guys know if there is any performance drop when using ODBC (in our case probably PostgreSQL) or LDAP against ISE internal store?
We have est. 10k endpoints in the mac db today.

--
Regards Falk

1 ACCEPTED SOLUTION

Accepted Solutions
Craig Hyps
Advocate

MAB testing against Internal vs LDAP was fairly on par, with Internal performing better. No details on ODBC as external ID store for MAC auth, as it is a less common scenario, although valid.


3 REPLIES
Today we use an OpenLDAP cluster with one provider and three consumers, and haproxy/keepalived as LB fronting our ISE RADIUS servers.
It works and handles the load with no problem, but the complexity is daunting.


But after a hit and miss with the internal datastore and ERS API, I'll try to read up on ODBC, PostgreSQL and ISE.

A PostgreSQL cluster is easier to manage, back up and integrate with than OpenLDAP, IMHO.

I'll do some testing and see if I can get some performance numbers with both of them. But it's hard to do a correct test when you have to have a huge environment just to get ISE working with the right number of devices.

--
Regards Falk

We also added enhancements to LDAP scale and HA in recent releases via

* Per PSN LDAP configs with Primary/Secondary settings per node

* Option to force nodes to retrigger DNS lookup to allow new LDAP server assignment every interval.

/C
